Emily Stark

2.7K Followers
321 Following
179 Posts
Trustworthy 🔑 transport 🚆 for Chrome. HTTPS, certificates, encryption, security UX, software engineering and management, TMI about parenting. Opinions are my own.
Pronouns: she/her
Website: https://www.emilymstark.com
Twitter: @estark37
@dangoodin no, I don't think so, pointing out the psychological effect hype has on people was helpful
@maxa Most real-world deployments of PQC these days are using both a classical and a PQ scheme in parallel, so that you have to break both the classical and PQ scheme to actually break the crypto
@twifkak Well, I don't know if there is a well-defined standard of care, but AES parameters are chosen such that breaking a single AES key would take significantly more time than the age of the universe, storage contributed by every single particle in the universe, etc. (I don't know if those are exactly technically accurate statements, but that's the kind of qualitative security we're getting with AES -- see e.g. https://eprint.iacr.org/2019/1492.pdf.)
@Ichinin @filippo @estark I have no confusion about the purpose of symmetric crypto vs PQC primitives. I think you misunderstood my question; I’m pointing out the discrepancy in how conservative we are in estimating attackers’ abilities for classical vs PQ crypto. I could have asked the same question about classical signature schemes, for example, instead of AES.
nb: I am not asking a question for which the answer is “store-now-decrypt-later”, “it’ll take a long time to universally deploy PQC”, or “quantum computers don’t exist and never will”. I think the answer I’m looking for is that “quantum computer is overhyped and people, especially security people, have a natural tendency to push back against hype”.
A lotta people misunderstanding my question, so let me rephrase: some people think PQC is a boondoggle because quantum computers that can break modern crypto are so far in the future or even will never exist. But isn’t defending against inconceivably strong attackers the standard of care for cryptography?
@Trevorgoodchild it's not free at all, in fact in some applications it's expensive to the point of being possibly undeployable (e.g. web PKI certificates, just in terms of bytes on the wire).
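The two points above, that deployed PQC runs a classical and a post-quantum scheme in parallel so an attacker must break both, and that the PQ half costs real bytes on the wire, can be seen together in one runnable exchange. The following is an added example, not code from the posts or from Chrome, written against Go 1.24's standard-library crypto/mlkem and crypto/ecdh packages: it performs an X25519 + ML-KEM-768 key agreement in the style of TLS 1.3's X25519MLKEM768 group, measures the key-share sizes each side sends, and models an attacker who has fully recovered the X25519 shared secret but not the ML-KEM one. The combiner (HMAC-SHA256 keyed with the concatenated secrets over a constructed transcript) stands in for the TLS key schedule and is an assumption of this example, as is the transcript string.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HybridResult records what each side derived, what went on the wire, and
// what an attacker who broke only the classical half would end up with.
type HybridResult struct {
	ClientKey, ServerKey []byte // session keys derived by each side
	ClassicalOnlyKey     []byte // attacker's key using the X25519 secret alone
	ClientShareBytes     int    // ML-KEM-768 encapsulation key + X25519 point
	ServerShareBytes     int    // ML-KEM-768 ciphertext + X25519 point
}

// combine mixes the two shared secrets into one session key. TLS 1.3's
// X25519MLKEM768 concatenates the ML-KEM secret and the X25519 secret and feeds
// the result into its ordinary key schedule; the HMAC-SHA256 extract step here
// (keyed with the concatenation, over the transcript) is a stand-in for that
// schedule, assumed for this example only.
func combine(pqShared, classicalShared, transcript []byte) []byte {
	ikm := append(append([]byte{}, pqShared...), classicalShared...)
	mac := hmac.New(sha256.New, ikm)
	mac.Write(transcript)
	return mac.Sum(nil)
}

// HybridExchange runs one X25519 + ML-KEM-768 exchange end to end.
func HybridExchange() (HybridResult, error) {
	transcript := []byte("constructed transcript for the hybrid demo") // assumption

	// Client: ephemeral X25519 key plus an ML-KEM-768 decapsulation key.
	clientX, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return HybridResult{}, err
	}
	clientPQ, err := mlkem.GenerateKey768()
	if err != nil {
		return HybridResult{}, err
	}
	// Client key share as sent on the wire: ML-KEM encapsulation key || X25519 point.
	clientShare := append(append([]byte{}, clientPQ.EncapsulationKey().Bytes()...),
		clientX.PublicKey().Bytes()...)

	// Server: parse the share, encapsulate to the ML-KEM key, run X25519.
	pqEK, err := mlkem.NewEncapsulationKey768(clientShare[:mlkem.EncapsulationKeySize768])
	if err != nil {
		return HybridResult{}, err
	}
	clientXPub, err := ecdh.X25519().NewPublicKey(clientShare[mlkem.EncapsulationKeySize768:])
	if err != nil {
		return HybridResult{}, err
	}
	serverX, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return HybridResult{}, err
	}
	pqServer, ct := pqEK.Encapsulate()
	xServer, err := serverX.ECDH(clientXPub)
	if err != nil {
		return HybridResult{}, err
	}
	// Server key share on the wire: ML-KEM ciphertext || X25519 point.
	serverShare := append(append([]byte{}, ct...), serverX.PublicKey().Bytes()...)
	serverKey := combine(pqServer, xServer, transcript)

	// Client: decapsulate the ciphertext, finish X25519, derive the same key.
	pqClient, err := clientPQ.Decapsulate(serverShare[:mlkem.CiphertextSize768])
	if err != nil {
		return HybridResult{}, err
	}
	serverXPub, err := ecdh.X25519().NewPublicKey(serverShare[mlkem.CiphertextSize768:])
	if err != nil {
		return HybridResult{}, err
	}
	xClient, err := clientX.ECDH(serverXPub)
	if err != nil {
		return HybridResult{}, err
	}
	clientKey := combine(pqClient, xClient, transcript)

	// Attacker model: X25519 has fallen, so the adversary knows xServer exactly.
	// Without the decapsulation key they still lack the 32-byte ML-KEM secret;
	// an all-zero guess stands in for any wrong value they might try.
	classicalOnly := combine(make([]byte, mlkem.SharedKeySize), xServer, transcript)

	return HybridResult{
		ClientKey: clientKey, ServerKey: serverKey, ClassicalOnlyKey: classicalOnly,
		ClientShareBytes: len(clientShare), ServerShareBytes: len(serverShare),
	}, nil
}

func main() {
	r, err := HybridExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("keys agree: %v\n", bytes.Equal(r.ClientKey, r.ServerKey))
	fmt.Printf("attacker with X25519 only matches: %v\n", bytes.Equal(r.ClassicalOnlyKey, r.ServerKey))
	fmt.Printf("client share: %d bytes, server share: %d bytes (X25519 alone: 32 + 32)\n",
		r.ClientShareBytes, r.ServerShareBytes)
}
```

The share sizes are where the "bytes on the wire" cost shows up: a pure X25519 exchange sends 32 bytes in each direction, while the hybrid sends 1184 + 32 bytes in the ClientHello and 1088 + 32 in the ServerHello. That is tolerable for a key exchange done once per connection; the same per-object overhead applied to every signature and public key in a certificate chain is the case the post above calls possibly undeployable.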
@alex_02 all symmetric crypto is believed to be unbroken by quantum computers. this is unrelated to my question though, which is why people view PQC as unworthwhile but are on board with hugely conservative security margins for classical crypto
@Trevorgoodchild that's fair, though I definitely know that some people consider all PQC a boondoggle, even before Apple's announcement
Honest non-snarky question: why do people pooh-pooh postquantum crypto as an unrealistic attack vector, when it's standard practice to use crypto that is much stronger than any conceivable future attacker? That is, deploying PQC doesn't seem that much sillier than using 10+ rounds for AES vs 7-9, but people seem basically fine being conservative with extra AES rounds?